
Bluetooth LE 4.0 and 4.1 (BLE)
Lab 11 Lunch
April 23rd, 2014
Noah Klugman
Josh Adkins

Outline

History of Bluetooth
Introduction to BLE
Architecture
Controller
Host
Applications
Power
Topology
Example: Heartbeat Sensor/App
Competing formats
Citations

History of Bluetooth

First specification developed in 1994 by Ericsson as a cable replacement
2.4 GHz ISM
Named after King Harald Bluetooth of Denmark, who helped unify warring factions
Bluetooth Special Interest Group (SIG) formed in 1998
No licence fee (although companies can still charge you)
7 specifications released since 1998
All backward compatible (except for BLE)
Billions and billions of devices


Introduction to BLE

New:
Radio
Protocol stack
Architecture
Qualification engine
But: not backward compatible with Bluetooth Classic (including Bluetooth 4.0 Classic)

world [6]

Introduction to BLE

Low latency connection (3 ms)
Low power (15 mA peak transmit, 1 µA sleep)
Designed for coin cells
Designed to send small packets of data (as opposed to streaming)
Connect -> transmit -> disconnect -> sleep
Security
128-bit AES-CCM
Modulation
GFSK @ 2.4 GHz
Adaptive Frequency Hopping
24 bit CRC
Output Power: ~ 10mW (10dBm)


Architecture

Stack, top to bottom:
Apps: Applications
Host: Generic Access Profile, Generic Attribute Profile, Attribute Protocol, Security Manager, Logical Link Control and Adaptation Protocol
Controller: Host Controller Interface, Link Layer, Direct Test Mode, Physical Layer

Architecture: Controller

Radio Control
Connection Logistics / Linking
Radio Testing
Interface to Host


Architecture: Controller::Physical Layer

2.4 GHz ISM band


1 Mbps GFSK
40 Channels - 2MHz spacing
Frequency Hopping in connections
Pseudo-random
Set in connection request

Transmit power
-20 to +10dBm
Receive sensitivity
-70 dBm


Core [5]


Architecture: Controller::Link Layer Terminology

Transmit only -> advertiser


Receive only -> scanner
Bidirectional advertiser -> advertiser
Bidirectional listener -> initiator
Non-connected states use whitelist to prevent host wakeup


Core [5]


Architecture: Controller::Link Layer Terminology (BLE 4.0)

Master
can have multiple slaves
determines when slaves listen
determines frequency hopping algorithm
sends connection determination at connection request, but can update parameters after connection
if it receives a packet from a slave, need not respond
Slave
only one master
if it receives a packet from the master, must respond

Core [5]


Architecture: Controller::Link Layer (BLE 4.0)

Upon Advertisement
When the advertisement event interval elapses, all advertisement packets are sent
Upon Connection Attempted
Initiator transmits all connection parameters to advertiser in Connection Request
Upon Connection
Physical layer divided into connection events at interval
In a connection event all packets are on the same frequency
Master initiates all connection events
Connection can be closed or kept open normally, by request or at error

Core [5]


Architecture: Controller::Link Layer BLE 4.0


Nordic [3]

Architecture: (stepping back a bit) Advertising Channel Packet Structure


Generic Packet Structure

Generic Advertising PDU

Core [5]

7 Advertising Channel PDU Types


4 Advertising, 2 Scanning, 1 Connect-request
Each has its own payload specification
At least one address and possibly custom data
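
As an added example (not from the original slides), a Python decoder for the advertising channel PDU types listed above, including the connection parameters the initiator sends in the Connection Request. The field layout follows the Bluetooth Core 4.0 Link Layer specification; the device addresses and the two sample frames are constructed.

```python
import struct

# 4-bit PDU type codes for the advertising channels (Bluetooth Core 4.0/4.1).
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_REQ", 6: "ADV_SCAN_IND"}
FIXED_LEN = {1: 12, 3: 12, 5: 34}   # payloads made only of fixed-size fields

def addr(raw):
    """Device addresses travel least-significant byte first; print MSB first."""
    return ":".join(f"{b:02x}" for b in reversed(raw))

def parse_adv_pdu(pdu):
    """Decode the 2-byte header and the payload of one advertising channel PDU."""
    if len(pdu) < 2:
        raise ValueError("truncated header")
    ptype, length, body = pdu[0] & 0x0F, pdu[1] & 0x3F, pdu[2:]
    if ptype not in PDU_TYPES:
        raise ValueError("reserved PDU type")
    if not 6 <= length <= 37 or length != len(body):
        raise ValueError("length field does not match payload")
    if FIXED_LEN.get(ptype, length) != length:
        raise ValueError("wrong payload size for this PDU type")
    out = {"type": PDU_TYPES[ptype], "tx_random": bool(pdu[0] & 0x40)}
    if ptype in (0, 2, 4, 6):            # AdvA + 0..31 bytes of custom data
        out.update(adv=addr(body[:6]), data=body[6:])
    elif ptype == 1:                     # AdvA + InitA
        out.update(adv=addr(body[:6]), init=addr(body[6:12]))
    elif ptype == 3:                     # ScanA + AdvA
        out.update(scan=addr(body[:6]), adv=addr(body[6:12]))
    else:                                # CONNECT_REQ: InitA + AdvA + LLData
        aa, crc, wsize, woff, itv, lat, tmo, chm, hs = struct.unpack(
            "<I3sBHHHH5sB", body[12:])
        out.update(init=addr(body[:6]), adv=addr(body[6:12]), access_addr=aa,
                   crc_init=int.from_bytes(crc, "little"),
                   win_size_ms=wsize * 1.25, win_offset_ms=woff * 1.25,
                   interval_ms=itv * 1.25, latency=lat, timeout_ms=tmo * 10,
                   channels=[c for c in range(37)
                             if int.from_bytes(chm, "little") >> c & 1],
                   hop=hs & 0x1F, sca=hs >> 5)
    return out

# Constructed sample frames (not captured traffic): the sensor's ADV_IND with a
# Flags AD structure, then the phone's CONNECT_REQ.
HBS, PHONE = bytes.fromhex("665544332211"), bytes.fromhex("ffeeddccbbaa")
SAMPLE_ADV = bytes([0x00, 9]) + HBS + bytes.fromhex("020106")
SAMPLE_CONN = bytes([0x05, 34]) + PHONE + HBS + struct.pack(
    "<I3sBHHHH5sB", 0x5A3C2B1D, b"\x56\x34\x12", 2, 0, 24, 0, 100,
    b"\xff\xff\xff\xff\x1f", 0x27)
```

The CONNECT_REQ is sent unencrypted on an advertising channel, so the access address, CRC init, channel map and hop increment it carries are visible to any receiver in range.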

Architecture: (stepping back a bit) Data Channel Packet Structure

Core [5]


Architecture: Controller::Direct Test Mode

Used for end-product qualification of RF transaction layer
All hardware must access directly using Host Controller Interface or 2-wire UART
Transmit test mode:
test packets are generated
Receive test mode:
counts number of test packets
Standards of test packets and procedure available in spec


Architecture: Controller::Host Controller Interface (HCI)

Transport between host and controller
allows changes between split layers
Optional additional transport layer of UART, USB, 3-wire
Accesses baseband, link manager commands and registers

HCI Interface (BLE CORE 4.1)


Architecture: Host

Sits on top of the Radio


Provides API to applications
Much more relaxed timing


Architecture: Host::L2CAP

Multiplexes between Attribute Protocol (ATT), Security Manager (SMP) and Link Layer controls through HCI
Creates channels to logical layer
Frame-oriented asynchronous and isochronous transport, negotiated by channel
Error detection
Pretty complicated part of the stack, punting a bit here...
Although it is simplified from earlier Bluetooth by not implementing flow control or retransmission to save power
Backend for GAP


Architecture: Host::Security Manager

Three phase process on connection
pairing feature exchange
short term key generation
transport specific key distribution (optional)
Implements a number of cryptographic functions
Memory and processing requirements are lower for responding
saves power


Architecture: Host::Attribute Protocol (ATT)

Client Server Architecture
ATT server stores and serves data, client requests
Exposes data as an attribute
Attribute
16-bit handle used by client to address attribute
UUID: defines type and set by GAP and GATT
Value: length up to 512 octets
permissions: r/w/auth


Architecture: Host::Generic Attribute Profile (GATT)

Client Server Architecture (built on top of ATT)
GATT Server stores data using ATT
GATT Server accepts ATT requests to serve and save attributes

Characteristics
Set of related attributes
One value, n descriptors
Exposes: features available, handle, representation (units, type)
Defined as read/write/notify/indicate

Services
Set of related characteristics
primary: exposes functionality
secondary: referenced by primary

Profiles
Preconfigured global group of services
List available from Bluetooth SIG


Architecture: ATT and GATT

vancouver [1]


Architecture: Host::Generic Access Profile (GAP)

Defines procedures
discovery of identities, names, capabilities
connections
security
advertising and scan response formats
Defines roles
Broadcaster: only advertises
Observer: receives data from broadcasters
Peripheral: single connection devices
Central: device in charge of multiple connections
Device can only play one role (BLE 4.0)


Architecture: Applications

Applications are built on top
Interacts with host layer only
Different APIs depending on the application environment


Architecture: But wait...

BLE 4.1 released Dec 2013
changes the world
Device supports multiple simultaneous roles (e.g. Peripheral and Central)!
Delay tolerant connections!
Devices can set up dedicated communication channel!
Low duty directed advertising!
Coexistence screening!
Bulk data transfer!


Architecture: Implications

Still unclear although...
More topologies possible
Delay tolerant networks possible
BLE to internet directly?
Many chips do not yet even partially support

Power

Power is a function of many things
acceptable bit error rate
sample rate
transmit delays
list goes on...
Minimum transaction time (empty packet) takes approx 3ms
at 15mW tx power with 1.5V we get
15mW / 1.5V = 10mA
15mW * .003 S = 45mJ
200mAh coin cell -> 200mAh/10mA = 72,000 seconds (20 hours)
constant transmit time / 3ms a transaction = 24 million transactions


Topologies (4.0)

piconets
Key:
Lines indicate a connection
Groups indicate data transmission

Core [5]

Topologies (4.1)

scatternets
Key:
Solid arrows point from master to slave
Dashed arrows indicate connection initiation and point from initiator to advertiser
Advertisers are stars

Core [5]


Example: Heartbeat Sensor / Android Phone

Simple Heartbeat sensor (HBS) that connects to smartphone over BLE
HBS will send heartbeat reading and model number
Devices are initially not connected


Example: Advertisement

At GAP, HBS set to peripheral and phone is central.
HBS sends advertising packet at next Advertisement Event
Contains services that are supported (raw heartbeat measurement)
Gets this info from GATT
Phone hears and sends Connection Request packet
Contains parameters of connection
HBS receives connection request
Both devices wait Initial Delay decided by master
HBS becomes slave and Phone becomes master, starting a piconet.
Devices are connected!

Core [5]


Example: Advertisement

Webinar [4]

Example: Security (optional)

SMP pairing feature exchange initiated by Master or Slave
Each calculates a short term key by exchanging random numbers (16 bytes)
The short term key is then used to encrypt and decrypt at SMP layer
A long term key can optionally be transmitted and kept for multiple sessions


Example: Exchanging Data

Webinar [4]


Example: Exchange of Data::Sensor

Application.bgs

writes the value of adc0 to the xgatt_hb attribute

GATT.xml

ATT.txt

defines the xgatt_hb attribute

Primary Service: Information (GAP)
  UUID: 1800
  Characteristic: Device Name
    UUID: 2a00
    readable
  Characteristic: Appearance
    UUID: 2a01
    readable
Primary Service: Heartbeat Reading Service
  UUID: deaddead-dead-dead-dead-deadeadead
  Characteristic: Raw HB reading
    UUID: beefbeef-beef-beef-beef-beefbeefbeef
    notification, readable
    Attribute: xgatt_hb
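
As an added example (not code from the slides or from the sensor firmware), a Python model of how an ATT server applies the r/w/auth permissions from the ATT slide to the sensor's attributes when Read and Write Requests arrive. Opcodes and error codes are those of the Attribute Protocol; the handles, the stored values, the extra writable attribute, and reading "auth" as "requires an authenticated link" are assumptions.

```python
import struct

READ, WRITE, AUTH = 1, 2, 4              # the slide's r / w / auth permissions
OP_ERROR, OP_READ_REQ, OP_READ_RSP = 0x01, 0x0A, 0x0B
OP_WRITE_REQ, OP_WRITE_RSP = 0x12, 0x13
E_INVALID_HANDLE, E_READ_NP, E_WRITE_NP = 0x01, 0x02, 0x03
E_INVALID_PDU, E_INSUFF_AUTHN, E_NOT_SUPPORTED = 0x04, 0x05, 0x06
E_BAD_LENGTH = 0x0D
MAX_VALUE, DEFAULT_MTU = 512, 23

def make_table():
    """Handle -> attribute. Handles, values and the last row are constructed."""
    return {
        0x0003: {"uuid": "2a00", "value": b"HBS", "perms": READ},
        0x0005: {"uuid": "2a01", "value": b"\x00\x00", "perms": READ},
        0x0008: {"uuid": "beefbeef-beef-beef-beef-beefbeefbeef",
                 "value": b"\x48", "perms": READ},            # xgatt_hb
        # Hypothetical writable setting, added to exercise w and auth.
        0x000B: {"uuid": "hypothetical-config", "value": b"\x01",
                 "perms": READ | WRITE | AUTH},
    }

def handle_request(table, pdu, authenticated=False):
    """Serve one ATT Read/Write Request; return the response PDU bytes."""
    if len(pdu) < 3:
        return struct.pack("<BBHB", OP_ERROR, pdu[0] if pdu else 0, 0, E_INVALID_PDU)
    op, handle = pdu[0], struct.unpack_from("<H", pdu, 1)[0]

    def error(code):                     # Error Response: op, handle, reason
        return struct.pack("<BBHB", OP_ERROR, op, handle, code)

    if op not in (OP_READ_REQ, OP_WRITE_REQ):
        return error(E_NOT_SUPPORTED)
    attr = table.get(handle)
    if attr is None:
        return error(E_INVALID_HANDLE)
    if op == OP_READ_REQ and not attr["perms"] & READ:
        return error(E_READ_NP)
    if op == OP_WRITE_REQ and not attr["perms"] & WRITE:
        return error(E_WRITE_NP)
    if attr["perms"] & AUTH and not authenticated:
        return error(E_INSUFF_AUTHN)     # link must be paired first
    if op == OP_READ_REQ:                # response carries at most MTU-1 bytes
        return bytes([OP_READ_RSP]) + attr["value"][:DEFAULT_MTU - 1]
    if len(pdu) - 3 > MAX_VALUE:
        return error(E_BAD_LENGTH)
    attr["value"] = bytes(pdu[3:])
    return bytes([OP_WRITE_RSP])
```

The permission check runs on the server for every request, so a characteristic marked only "readable" rejects writes regardless of what the client application offers in its UI.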


Example: Exchange of Data::Android


Competing Formats: Zigbee

Low cost/power wireless standard
Older and more established than Bluetooth
802.15.4 PHY and MAC
ISM Band PHY
Up to 250kbps data transmission
Star, mesh, and cluster tree topologies
Slightly higher power than BLE
Not integrated into widely used devices


(Non)Competing Formats: NFC

Builds upon RFID standards for two way communication
Can be read unpowered
No universally accepted standard although attempts have been made
Can be alongside Bluetooth and Wi-Fi
Android Beam uses it to initiate Bluetooth pairing
S-Beam uses it to initiate Wi-Fi Direct


Citations

[1] vancouver http://chapters.comsoc.org/vancouver/BTLER3.pdf
[2] ncbi http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3478807/
[3] nordic http://www.eabeurs.nl/files/7013/7085/2988/3_Introduction_to_Bluetooth_low_energy.pdf
[4] webinar https://developer.bluetooth.org/DevelopmentResources/Pages/Webinars.aspx
[5] core https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=282159
[6] world http://litepoint.com/whitepaper/Bluetooth%20Low%20Energy_WhitePaper.pdf
[7] gatt_att http://teleorigin.com/download/Bluetooth/Low%20Energy/Profile_development_BLE.pdf
[8] ee_times http://www.eetimes.com/document.asp?doc_id=1278966


Questions?
Comments?
Discussion?
